Synapse vulnerable to leak of remote user device information
CVE-2023-43796

5.3MEDIUM

Key Information:

Vendor: Matrix-org
Status: Synapse
Vendor: CVE Published:; 31 October 2023

What is CVE-2023-43796?

Synapse is an open-source Matrix homeserver Prior to versions 1.95.1 and 1.96.0rc1, cached device information of remote users can be queried from Synapse. This can be used to enumerate the remote users known to a homeserver. System administrators are encouraged to upgrade to Synapse 1.95.1 or 1.96.0rc1 to receive a patch. As a workaround, the federation_domain_whitelist can be used to limit federation traffic with a homeserver.

Affected Version(s)

synapse < 1.95.1

References

https://github.com/matrix-org/synapse/security/advisories...

x_refsource_CONFIRM

https://github.com/matrix-org/synapse/commit/daec55e1fe12...

x_refsource_MISC

https://lists.fedoraproject.org/archives/list/package-ann...

CVSS V3.1

Score:

5.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Oct 31, 2023
Vulnerability Reserved
Sep 22, 2023

Matrix-org

What is CVE-2023-43796?

Affected Version(s)

References

CVSS V3.1

Timeline